pkinit slotid=N ?
Douglas E. Engert
deengert at anl.gov
Tue Jan 8 18:06:24 EST 2008
Glenn Barry wrote:
> I had the Solaris KMF (Key Management Framework) team review the pkinit
> options in MIT Kerberos V 1.6.3-beta1 and for this one:
> they noted that slotid= is not a good idea as there is no guaranteed
> ordering of numbering of slots returned from C_GetSlotList().
> That is, slot or token names are useful but numbers are not.
> I see slotid= is optional but was wondering if it was useful for anybody?
> (And likewise for certid=)
(Well its still beta.) But the main issue is is how does a user use pam_krb5
to login with a minimal amount of information from the user and do it quickly.
The parameters were enough to get it to work with one type of card.
But there may be more then one type of card in use at an organization.
Different cards might also require different PKCS#11 modules.
even if they ca use the same PKCS#11 they might have different labels,
and different certids on each type of card.
Some cards have more the one certificate, which one to use?
Much of the testing of the code has been done with OpenSC PKCS#11 (We are using
HSPD-12 PIV test cards as well as some GemSAFE cards.) With some cards OpenSC
can allocate two slots, as slots don't translate directly to readers.
The other choice is to read all the certs that can be read from any slots/readers
and to look at attributes in the cert to determine if it is usable for
login, but this might take some time and has some other drawbacks.
When you are looking at this, also consider pam_krb5 could prompt for additional
information for the user.
> Glenn Barry
> Solaris Kerberos
> krbdev mailing list krbdev at mit.edu
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the krbdev